6

Hello, I would like to create a PayPal buy button which has a dynamic set amount. I would like to pass the amount by a text input field within the form and the item_number by a hidden field.

The issue is that whatever I do I get an encrypted s-xclick button from the PayPal website. This button does not allow hidden variables to be placed in the form.

I think what I need is an xclick button. My goal is to allow users to increase their internal credit on my website.

EDIT (moving the addition from the answer to the question; from here on, @tokam):

To add this to the discussion I would like to show my current solution for the problem:

Here we have some JavaScript validation which helps the user with the input. Recognize that it opens a lightbox on success.

function validatePaypalForm()
{
    var val = $('#paypalPaymentAmount').val().replace(/\s*$/, "").replace(/,/ , ".").replace(/€$/, "");
    var errormsg = '';
    var ret, amountField;
    if( val==='' || isNaN( parseFloat(val) ) || !isFinite(val) )
    {
        errormsg = 'Bitte geben Sie einen gültigen Betrag an';
    }else if( parseFloat( val ) < <?php echo $this->minimum?>  )
    {
        errormsg = 'Das Einzahlungsminimum betr&auml;gt <?php echo $this->minimum?>&euro;';
    }

    ret = ( errormsg === '' );

    amountField = $( '#paypalAmountField' );
    if( ret )
    {
        amountField.removeClass( 'error' );
        $('#paypalAmountErrorMessage').html( '&nbsp;' );
        $('#paypalPaymentAmount').val( val );
        fb.start(
            '<p><strong>Sie werden in kürze zur Seite von Paypal weitergeleitet.</strong></p>',
            'width:700 showPrint:false modal:true showClose:false showOuterClose:true showItemNumber:false closeOnNewWindow:false outsideClickCloses:true innerBorder:0 imageClickCloses:false scrolling: no'
        );
    }else{
        amountField.addClass( 'error' );
        $('#paypalAmountErrorMessage').html( errormsg );
    }

    return ret;
}

Here comes my button now. The issues I am having with it are e.g. that it is easy for the user to set another currency code. I could handle this in my IPN listener by refunding the payment. Are there other issues which come with an unencrypted changeable button?

<form onsubmit="return validatePaypalForm();" class="stn-form" action="https://www.paypal.com/cgi-bin/webscr" method="post">
<fieldset id="fieldset-p"><legend><span>2.</span>myproject Guthaben aufladen per Paypal Zahlung</legend>
<div id='paypalAmountField' class="field">
<label for='paypalPaymentAmount' >Betrag &euro;:</label>
<input id='paypalPaymentAmount' type="text" name='amount' value='' />
<span style='display:block;' id='paypalAmountErrorMessage' class='errorText'>&nbsp;</span>

</div>
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="THE_ID_OF_MY_CLIENT">
<input type="hidden" name="lc" value="DE">
<input type="hidden" name="item_name" value="myproject Advertiser Vorkasse">
<input type="hidden" name='item_number' value="11500">
<input type="hidden" name="currency_code" value="EUR">
<input type="hidden" name="button_subtype" value="services">
<input type="hidden" name="no_note" value="1">
<input type="hidden" name="no_shipping" value="1">
<input type="hidden" name="bn" value="PP-BuyNowBF:btn_paynowCC_LG.gif:NonHosted">
<input type="hidden" name="rm" value="1">
<input type="hidden" name='cbt' value="Zu myproject.de zur&uuml;ckkehren">
<input type="hidden" name="return" value="http://myproject.somedomain.net/advertiser/guthaben-aufladen/ret/success" />
<input type="hidden" name="cancel_return" value="http://myproject.somedomain.net/advertiser/guthaben-aufladen/ret/canceled" />
<div class="actionrow">

<input type="image" src="https://www.paypalobjects.com/de_DE/DE/i/btn/btn_paynowCC_LG.gif" border="0" name="submit" alt="Jetzt einfach, schnell und sicher online bezahlen – mit PayPal.">
<img alt="" border="0" src="https://www.paypalobjects.com/de_DE/i/scr/pixel.gif" width="1" height="1">
</div>
</fieldset>
</form>
Jakob Alexander Eichler
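The question above asks what else can go wrong with an unencrypted, editable button. Every field in that form (amount, currency_code, item_number, even business) arrives from the buyer's browser, so the only trustworthy place to decide what to credit is the IPN listener, using what PayPal reports was actually charged. The following is an added example (not the asker's code) of those checks in Python; the constants, the assumed prior VERIFIED postback handshake and the sample IPN bodies are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Values the site itself decides on (placeholders, not taken from the question).
EXPECTED_RECEIVER = "merchant@example.com"  # the PayPal account behind the form's `business`
EXPECTED_CURRENCY = "EUR"                   # what the form's currency_code is supposed to be
EXPECTED_ITEM_NUMBER = "11500"              # the form's item_number for credit top-ups
MINIMUM_AMOUNT = Decimal("5.00")            # stands in for <?php echo $this->minimum?>

def check_ipn(raw_body: str, seen_txn_ids: set) -> tuple:
    """Return (amount_to_credit, None) if the IPN is acceptable, else (None, reason).

    Assumes the caller has already echoed this exact body back to PayPal and
    received VERIFIED (the postback handshake is not shown here).
    """
    ipn = {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}
    # 1. Only captured money counts; Pending, Refunded or Reversed must not credit.
    if ipn.get("payment_status") != "Completed":
        return None, "payment_status is not Completed"
    # 2. `business` in the form is editable too, so confirm the money reached our own
    #    account (compare receiver_id instead if `business` carries a merchant ID).
    if ipn.get("receiver_email", "").lower() != EXPECTED_RECEIVER.lower():
        return None, "receiver_email mismatch"
    # 3. The form's currency_code is untrusted; PayPal reports what was actually charged.
    if ipn.get("mc_currency") != EXPECTED_CURRENCY:
        return None, "currency mismatch"
    # 4. item_number identifies this top-up form; any other value maps to no product.
    if ipn.get("item_number") != EXPECTED_ITEM_NUMBER:
        return None, "unknown item_number"
    # 5. Parse the charged gross with Decimal (never float) and enforce the site minimum.
    try:
        amount = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return None, "mc_gross is not a number"
    if amount < MINIMUM_AMOUNT:
        return None, "below minimum"
    # 6. A replayed copy of a genuine IPN must not credit the account twice.
    txn_id = ipn.get("txn_id")
    if not txn_id or txn_id in seen_txn_ids:
        return None, "missing or duplicate txn_id"
    seen_txn_ids.add(txn_id)
    return amount, None

# Constructed sample IPN bodies (not real PayPal traffic): a good one and a copy
# whose currency was changed in the browser before submission.
GOOD_IPN = ("payment_status=Completed&receiver_email=merchant%40example.com"
            "&mc_currency=EUR&item_number=11500&mc_gross=25.00&txn_id=TXN0001")
TAMPERED_IPN = GOOD_IPN.replace("mc_currency=EUR", "mc_currency=JPY").replace("TXN0001", "TXN0002")
```

A payment that fails any check is still a real charge on PayPal's side, so the listener should log it and refund or review it rather than silently drop it.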

3 Answers

9

The reason you can't override the amount dynamically, is because you have a so-called 'PayPal hosted button'.
With a hosted button, the amount is stored on PayPal's side and can't be overwritten with the 'amount' variable. You'll either want to use a non-hosted button, or use the BMUpdateButton API call to dynamically update the button's amount.
To use a non-hosted button, simply find 'Step 2' in the button creation tool and untick 'Host button with PayPal'.

Option 2: Still use the hosted button, and use the BMUpdateButton API to update the amount. An example request for BMUpdateButton would look as follows:

USER=Your API username
PWD=Your API password
SIGNATURE=Your API signature
VERSION=82.0
HOSTEDBUTTONID=The value of <input type="hidden" name="hosted_button_id" value="">
BUTTONTYPE=The type of button. E.g. BUYNOW
BUTTONCODE=The type of code you want to get back. E.g. HOSTED
L_BUTTONVAR0=amount=The new amount with a period as separator
L_BUTTONVAR1=item_name=Optional: a new item name if you wish

Similarly, you could also use the BMCreateButton API to create a new button, or use the BMButtonSearch API to search through a list of all your stored hosted buttons (to find the hosted_button_id of your button automatically, for example).

The reason to use a hosted button is because it's more secure. A non-hosted, unencrypted button would basically leave the amounts open to manipulation. Fraudulent transactions waiting to happen.

Robert
  • I want the user to be allowed to type in the amount but preferably I would like to be sure the currency code is not changed by the user. I think it is unfair that they voted my question down. This is not too simple and I googled hours before asking! – Jakob Alexander Eichler Nov 20 '11 at 22:28
  • The answer above still applies. You can allow the buyer to enter an amount, then take that amount, call the BMCreateButton API, send the amount, get the hosted_button_id and redirect the buyer to PayPal (https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=response_for_hosted_button_id_here) – Robert Nov 20 '11 at 22:44
  • I implemented the unencrypted solution but I experienced that it is possible by POST variable manipulation to change the currency code. I could either catch that now in my IPN listener and refund the payment in that case, but I am going to spend some time to try to implement your solution. What do you think? I need the refund with SOAP or NVP anyway. I will show you what I already have. – Jakob Alexander Eichler Nov 21 '11 at 00:28
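The BMUpdateButton request in the answer and the redirect described in the comments, as an added example in Python (not Robert's code): it builds the NVP body with the amount normalised on the server rather than in the browser, and turns the reply into the _s-xclick checkout URL. The endpoint, the credential dictionary and the sample reply are assumptions; the HTTP POST itself is left to the caller.

```python
from decimal import Decimal, ROUND_HALF_UP
from urllib.parse import urlencode, parse_qs

NVP_ENDPOINT = "https://api-3t.paypal.com/nvp"  # assumed Signature-auth endpoint; POST the body there

def build_update_request(creds: dict, hosted_button_id: str, amount, item_name=None) -> str:
    """Return the URL-encoded BMUpdateButton body for `hosted_button_id`.

    The amount is normalised here, not in the browser: "12,50 €" as typed into
    the form becomes 12.50 with the period separator PayPal expects.
    """
    cleaned = str(amount).strip().rstrip("€").strip().replace(",", ".")
    value = Decimal(cleaned).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    if value <= 0:
        raise ValueError("amount must be positive")
    params = [
        ("METHOD", "BMUpdateButton"),
        ("VERSION", "82.0"),
        ("USER", creds["user"]),
        ("PWD", creds["pwd"]),
        ("SIGNATURE", creds["signature"]),
        ("HOSTEDBUTTONID", hosted_button_id),
        ("BUTTONTYPE", "BUYNOW"),
        ("BUTTONCODE", "HOSTED"),
        # Button variables travel as an indexed list of "name=value" strings.
        ("L_BUTTONVAR0", f"amount={value}"),
        # Stored on PayPal's side with the button, so it cannot be edited in the form.
        ("L_BUTTONVAR1", "currency_code=EUR"),
    ]
    if item_name:
        params.append(("L_BUTTONVAR2", f"item_name={item_name}"))
    return urlencode(params)

def checkout_url_from_response(nvp_body: str) -> str:
    """Turn the NVP reply into the _s-xclick redirect from the comments above."""
    resp = {k: v[0] for k, v in parse_qs(nvp_body).items()}
    if not resp.get("ACK", "").startswith("Success"):
        raise RuntimeError("BMUpdateButton failed: " + resp.get("L_LONGMESSAGE0", "no message"))
    return "https://www.paypal.com/cgi-bin/webscr?" + urlencode(
        {"cmd": "_s-xclick", "hosted_button_id": resp["HOSTEDBUTTONID"]})
```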
2

You shouldn't use xclick, which isn't encrypted. The way I solved this is using the PayPal button API, with some kind of caching in the client so you won't do the whole HTTP request/response every time.

Note that PayPal uses 2 types of API: the NVP, which is sort of RESTful (also not really), and SOAP (I used the NVP method).

You could also generate the encrypted button on your server using OpenSSL, but I ran into unsolvable problems with this method and couldn't get any help for that either here or in PayPal's horrible developer forums.

Edit: the problem with unencrypted buttons is that anyone using Firebug (not talking about more advanced tools) could intercept a payment and change the cost etc.

If you insist on that direction, you could follow the simple HTML form from PayPal to create this button: you do it on the PayPal site, create an unencrypted button, and then just edit the HTML and change the needed field to <?php $variable?>. I would strongly advise against this path.

alonisser
  • What is your advancement of using the API? What are the risks of non-encrypted buttons? On 1a-android.de I run a non-encrypted button which works fine, but it is a donate button and I forgot how I managed to get one without the API and without s-xclick, e.g. here http://www.1a-android.de/android-spiele/farm-story-nachbarn/ – Jakob Alexander Eichler Nov 20 '11 at 19:05
  • I found this now http://support.qualityunit.com/knowledgebase/post-affiliate-pro/tips-tricks/how-to-create-paypal-non-hosted-non-encrypted-buttons.html but I am not sure if it is secure enough that way. I must check that the currency code will not be changed by the user. – Jakob Alexander Eichler Nov 20 '11 at 19:28
  • That is the insecure unencrypted way! But it will work, I tried it – alonisser Nov 20 '11 at 19:37
0

I think this might work for you if you update ... "you@yoursite.com" ... It's unencrypted and still seems to be hosted on PayPal's site for clearing.

Drop the value="my_default_price" if you want the user to enter it into a blank text box ... for my page, prices are tied to the price of gold, so I have to dynamically update the variable "amount" and I just leave off value=

<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="you@yoursite.com">
<input type="hidden" name="item_name" value="example description">
<input type="hidden" name="item_number" value="">
<input type="text" name="amount" value="my_default_price">
<input type="hidden" name="no_shipping" value="1">
<input type="hidden" name="return" value="http://www.yoursite.com/returnpage.php">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="lc" value="US">
<input type="hidden" name="bn" value="PP-BuyNowBF">
<input type="image" src="https://www.paypal.com/en_US/i/btn/x-click-but02.gif" border="0" name="submit" alt="Make your payments with PayPal. It is free, secure, effective.">
<img alt="" border="0" src="https://www.paypal.com/it_IT/i/scr/pixel.gif" width="1" height="1">
</form>